More on ROFL.SYS

By Throg
Feb 11, 2006
Topic Status:
Not open for further replies.
  1. I've been trying to sort out some problems on a friend's Windows XP (SP2) PC. When I installed AVG, as he had no up-to-date virus checker installed, it started flagging rofl.sys as a Trojan, but AVG couldn't seem to get rid of it. Having checked out the various threads on this forum discussing this problem, I thought I'd share my experiences. I'd be particularly interested in what some of the more experienced security folk here think, as I'm a mere developer and only deal with security problems when cornered. :)

    I tried all the various techniques suggested in the aforementioned threads but to no avail. In the end, I decided to use the SysInternals NT File Monitor to see what was trying to access rofl.sys, with a view to killing it. This revealed an executable called hseure.exe, supposedly in C:\Windows but which didn't seem to exist.

    I rebooted in Safe Mode, ran RegEdit and searched the Registry for hseure.exe. I found it referenced several times in Registry entries that looked like they belonged to a mysterious Windows Service called "HSecurity". I checked with Service Manager and sure enough this service was listed. Feeling I had nothing to lose, I deleted the registry entries for HSecurity, rebooted and AVG stopped flagging accesses to rofl.sys. HSecurity is no longer listed as a service.

    I've now deleted rofl.sys but I still can't find any files on the box related remotely to HSecurity or hseure.exe. AVG now gives an all-clear when I do a full system scan. What is nagging me is that this Trojan sneaked onto the PC somehow, most likely because my mate has young children and installs all sorts of cheapo (and probably compromised) kids' software.

    Just to complete the picture, here's the HJT log from when I ran it in Safe Mode just prior to deleting the Registry entries mentioned above.

    Logfile of HijackThis v1.99.1
    Scan saved at 18:49:02, on 11/02/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\Program Files\Security Tools\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cwshredder.net/cwshredder/cwsredir.php?target=tmas
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.net/
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    Thanks in advance for any help.
  2. Tedster

    Tedster Techspot old timer..... Posts: 10,074   +13

    rofl.sys is part of a rootkit. an anti-virus program is not designed to remove it.
    rootkits require specialized removal.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.